Configuring Dynamic Multipoint VPN and Zone Based Firewall

What is a Dynamic Multipoint VPN and why use it?

DMVPN provides the capability to create a dynamic-mesh VPN network without having to statically pre-configure every possible tunnel endpoint peer, including the IPsec (Internet Protocol Security) and ISAKMP (Internet Security Association and Key Management Protocol) peers. It builds on multipoint GRE (mGRE) tunnels and the Next Hop Resolution Protocol (NHRP), which lets spokes register with the hub and resolve each other's public addresses on demand. DMVPN is initially configured as a hub-and-spoke network by statically configuring the hubs (VPN headends) on the spokes; no change on the hub is required to accept new spokes. Using this initial hub-and-spoke network, tunnels between spokes can be built dynamically on demand (dynamic mesh) without additional configuration on the hubs or spokes. This dynamic-mesh capability removes the need for the hub to carry and route traffic between spoke networks.

In the example below we will build two hub routers in the hub site for redundancy and two spoke sites. Users sitting behind these routers must be able to reach the other site, and any new network provisioned in either site should be advertised automatically to the router in the opposite site. Each spoke site should learn routes from, and advertise its local routes to, the hub site, but spoke sites should not learn each other's routes. Users in either location must only be allowed to access the other site using approved protocols such as FTP, HTTP and DNS. Lastly, each router must be configured with a firewall that protects the device and its users from Internet attacks without impeding the ability to establish the site-to-site VPN.

Steps to configure DMVPN on hub routers

Step 1: Perform a basic router configuration on R1 and R2 to establish connectivity. Notice that NAT access-list 101 includes a deny clause so that traffic destined for the remote VPN sites is matched before the permit line and is therefore never translated; without it, the private source addresses would be rewritten to the public address before entering the tunnel and return routing across the VPN would break.
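The following hub configuration is an added example written for this page; it is not the original post's configuration for R1 and R2. It ties the pieces of Step 1 together on one hub: the NAT exemption, the ISAKMP/IPsec profile, the mGRE tunnel with NHRP, EIGRP over the overlay, and a zone-based firewall that protects the self zone while still letting the VPN come up. All addresses, names and the pre-shared key (203.0.113.1/24 outside, 10.1.1.0/24 inside, 10.0.0.0/8 for the spoke LANs, 172.16.0.0/24 overlay, key "cisco123", names such as DMVPN-PROF and VPN-CONTROL) are assumptions for illustration.

```cisco
! Added example (not the original post's configuration): DMVPN hub R1.
! Assumed values: outside 203.0.113.1/24 with default gateway 203.0.113.254,
! inside LAN 10.1.1.0/24, spoke LANs inside 10.0.0.0/8, overlay 172.16.0.0/24,
! pre-shared key "cisco123" (assumed; use a strong per-deployment secret).
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
 zone-member security OUTSIDE
interface GigabitEthernet0/1
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 zone-member security INSIDE
ip route 0.0.0.0 0.0.0.0 203.0.113.254
!
! NAT: the deny line excludes site-to-site traffic so it enters the tunnel untranslated
access-list 101 deny   ip 10.1.1.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 permit ip 10.1.1.0 0.0.0.255 any
ip nat inside source list 101 interface GigabitEthernet0/0 overload
!
! IKEv1 phase 1 and IPsec phase 2; wildcard key because spoke addresses are not known in advance
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
! mGRE tunnel with NHRP: no per-spoke lines, spokes register dynamically
interface Tunnel0
 ip address 172.16.0.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication DMVPNKEY
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-PROF
 zone-member security VPN
!
! EIGRP over the overlay. Split horizon stays enabled (the default), so spoke
! prefixes learned on Tunnel0 are not re-advertised to other spokes, as required.
router eigrp 1
 network 10.1.1.0 0.0.0.255
 network 172.16.0.0 0.0.0.255
!
! Zone-based firewall
zone security INSIDE
zone security OUTSIDE
zone security VPN
! 1) VPN control and data traffic to the router itself (self zone) cannot be inspected statefully: use pass
ip access-list extended VPN-CONTROL
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
 permit gre any any
class-map type inspect match-any VPN-TO-SELF
 match access-group name VPN-CONTROL
policy-map type inspect OUT-TO-SELF
 class type inspect VPN-TO-SELF
  pass
 class class-default
  drop log
zone-pair security OUT-SELF source OUTSIDE destination self
 service-policy type inspect OUT-TO-SELF
! 2) User traffic across the VPN is limited to the approved protocols and inspected statefully
class-map type inspect match-any APPROVED-APPS
 match protocol ftp
 match protocol http
 match protocol dns
policy-map type inspect SITE-TO-SITE
 class type inspect APPROVED-APPS
  inspect
 class class-default
  drop log
zone-pair security IN-VPN source INSIDE destination VPN
 service-policy type inspect SITE-TO-SITE
zone-pair security VPN-IN source VPN destination INSIDE
 service-policy type inspect SITE-TO-SITE
```

R2 mirrors this with its own outside address and 172.16.0.2 on Tunnel0, and each spoke lists both hubs as NHRP next-hop servers so either hub can fail. Two caveats to check before deploying: `pass` is stateless, so the self-to-OUTSIDE direction relies on the default permit for the self zone (no zone-pair is defined for it), and the `drop log` default in OUT-TO-SELF also discards replies to traffic the router itself originates (DNS, NTP, management); add explicit classes for whatever the router needs. With `tunnel protection`, the encrypted packet reaches the self zone as ESP, the decrypted GRE packet is re-evaluated against the same OUTSIDE-to-self policy, and only then does the inner user packet enter through Tunnel0, so both `esp` and `gre` must be permitted there.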

Verify the configuration

Now that the configuration is finished, let's verify it. Using the show dmvpn, show crypto engine connection active, show crypto session, show crypto isakmp sa, and show crypto ipsec sa commands you can verify the VPN deployment: each spoke should appear as a registered NHRP peer and have an active IKE and IPsec security association. You can also use the show ip route and show ip eigrp neighbors commands to verify that dynamic routing is working properly and that the hub has an EIGRP neighbor over Tunnel0 for every spoke. Lastly, use the ping command to verify end-to-end connectivity between the sites.
